Task: Next.js App Router chat app using vulnerable React 19.x Server Components. Solution: Exploit CVE-2025-55182 (React2Shell) for RCE, then extract the flag from .env in git commit history.

Tags / techniques: react2shell_rce, git_history_extraction, env_file_recovery

vibecoded — TJCTF 2026

Description

i vibe coded a website and told gpt to make it secure so there is nothing you can do now!!!

English summary: A Next.js App Router chat application ("yap") where users can register, login, and post messages. Built with React Server Components on React 19.x. The developer claims it was "vibe coded" (AI-generated) and secured by GPT. The goal is to find the flag hidden on the server.

Analysis

Application Architecture

  • Framework: Next.js 15.x with App Router (build ID: 5VGptBeLn4iPBWXBhhT5c)
  • Frontend: React Server Components with Flight protocol
  • Database: SQLite at /var/lib/yap/data.db
  • Auth: Unsigned cookie yap_user=<username> (HttpOnly, plain text)
  • Proxy: Go-based reverse proxy forwarding only GET/POST to /

Server Action IDs (from page source)

Login:    40cecd84ea8f6a2e4fc21505453351fd6313e28428
Register: 40ed6c0b53c7f99c3fa4946ff1d02a94a11906dcc9
Post yap: 401f68b86df260cd0037fbe5c9a5c671a3920b1f78
Logout:   000791216483786dde7eac56bee8877a5a2f9b928d

Pre-seeded Content

User 'zain' had a welcome message: "Welcome to the yap chat app! This is a pretty cool chat app 100% made by humans. Source: true me bro."

Vulnerability: CVE-2025-55182 (React2Shell)

The application uses a vulnerable version of React (19.0.0–19.2.x) with React Server Components. CVE-2025-55182 is a critical Remote Code Execution vulnerability that allows an attacker to execute arbitrary code on the server by sending specially crafted HTTP requests to Server Function endpoints via the RSC Flight protocol.

Related CVEs in the same family:

  • CVE-2025-55182 (Critical): Remote Code Execution via prototype chain traversal in Flight protocol
  • CVE-2025-55183 (Medium): Server Function Source Code Disclosure (toString() not overridden on Server References)
  • CVE-2025-55184 (High): Denial of Service via infinite loop

Solution

Step 1: Identify the Vulnerable Stack

The page source reveals Next.js App Router with React Server Components (Flight protocol visible in self.__next_f.push() calls). Server action IDs with $ACTION_ID_ prefix confirm RSC server actions are in use. The React version (19.x) is vulnerable to CVE-2025-55182.

Step 2: Exploit CVE-2025-55182 (React2Shell)

The CVE allows pre-auth RCE through prototype chain traversal in the Flight protocol. By crafting a malicious RSC payload targeting the server action endpoints, arbitrary commands can be executed on the server.

Step 3: Extract Flag from Git History

With shell access on the server:

  1. Enumerate the application directory — find a .git repository
  2. Check git log — discover that .env was present in an earlier commit but later removed
  3. Extract the flag from the initial commit where .env contained FLAG=tjctf{...}

The flag was found in git commit 0692a5a01fa58dfd28e1e449a3e876c2f62162b0:

.env:1:FLAG=tjctf{th1s_1s_Y_w3_d0nt_vibeeee_codeeee_sv3lte_ov3r_r34ct_any_d4y_r34ct_s3rv3r_c0mp0n3nts_CVE-2025-55182}
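Defensive counterpart to Step 3, as an added example that is not part of the original writeup: a scanner over `git log -p --all` text that reports every KEY=VALUE line ever added to a .env file (or under a secret-looking name) and whether that file was deleted in a later commit, which is exactly why removing .env afterwards does not remove the flag from history. The log text below is constructed; only the first commit id is taken from the writeup, and the flag value is a placeholder.

```python
import re

# Added example (not from the writeup): scan `git log -p --all` output for
# secrets that were ever committed and note whether the file was later deleted.
# SAMPLE_LOG is constructed; only the first commit id comes from the writeup.
SAMPLE_LOG = """\
commit 0692a5a01fa58dfd28e1e449a3e876c2f62162b0
    initial commit

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+FLAG=tjctf{placeholder_not_the_real_flag}
+DB_PATH=/var/lib/yap/data.db
commit 1111111111111111111111111111111111111111
    remove .env from repo (constructed placeholder commit)

diff --git a/.env b/.env
deleted file mode 100644
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-FLAG=tjctf{placeholder_not_the_real_flag}
-DB_PATH=/var/lib/yap/data.db
"""

ADDED_ASSIGNMENT = re.compile(r"^\+(?!\+\+)([A-Za-z_][A-Za-z0-9_]*)=(.*)$")  # "+KEY=value", not "+++ b/x"
ENV_FILE = re.compile(r"(^|/)\.env(\.[^/]+)?$")
SECRET_NAME = re.compile(r"FLAG|SECRET|TOKEN|PASS|KEY", re.I)


def scan_git_log(log_text):
    """Return one finding per KEY=VALUE line added to history inside a .env file or
    under a secret-looking key; values are truncated so the report itself is safe to share."""
    findings, deleted, commit, path = [], set(), None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith("deleted file mode"):
            deleted.add(path)
        elif commit and path:
            m = ADDED_ASSIGNMENT.match(line)
            if m and (ENV_FILE.search(path) or SECRET_NAME.search(m.group(1))):
                findings.append({"commit": commit, "path": path, "key": m.group(1),
                                 "value_prefix": m.group(2)[:4] + "..."})
    # A later "deleted file mode" only removes the path from HEAD; every earlier blob stays reachable.
    return [dict(f, deleted_later=f["path"] in deleted) for f in findings]
```

Run it against real output with `git log -p --all | python3 scan.py` style piping, or wire it into CI so a secret that reaches history triggers rotation rather than a quiet `git rm`.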

Exploit Script (Conceptual)

#!/usr/bin/env python3
"""
vibecoded - TJCTF 2026
Exploit CVE-2025-55182 (React2Shell) for RCE on Next.js RSC app
"""
import requests

TARGET = "https://vibecoded.tjc.tf"

# Server action IDs discovered from page source
POST_ACTION = "401f68b86df260cd0037fbe5c9a5c671a3920b1f78"

# Step 1: Exploit CVE-2025-55182 via Flight protocol
# The vulnerability allows prototype chain traversal in RSC deserialization
# to achieve arbitrary code execution on the server

# Step 2: With RCE, enumerate git history
#   git log --all --oneline
#   git log --diff-filter=D -- .env
#   git show <commit>:.env

# Step 3: Extract flag from removed .env file
#   git show 0692a5a01fa58dfd28e1e449a3e876c2f62162b0:.env
# Output: FLAG=tjctf{th1s_1s_Y_w3_d0nt_vibeeee_codeeee_sv3lte_ov3r_r34ct_any_d4y_r34ct_s3rv3r_c0mp0n3nts_CVE-2025-55182}

What Didn't Work

  • SQL injection: All queries use parameterized statements
  • XSS: Content is properly escaped; dangerouslySetInnerHTML only used for error page CSS
  • IDOR via cookie manipulation: All users see the same shared content
  • Password brute-force: Common passwords didn't match 'zain' account
  • Hidden routes: Bloom filter only has 2 items, no admin panels
  • CVE-2025-29927 (Next.js middleware bypass): No hidden routes to access
  • Source maps / debug endpoints: All returned 404
